SSH
Bohdan Zadorozhniy, 2021-06-18 11:30:41

How do I ban an IP in MikroTik when it connects to a port?

I made these rules:

/ip firewall filter
add chain=input protocol=tcp dst-port=3389 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=3389 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=3389 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=3389 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=3389 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no


But after an IP is in these lists, it is still let through on the correct ports and can log in. Please tell me how to make it so that as soon as an IP tries to connect to the port named in the rule it is banned immediately, and that IP can no longer connect on any port at all.

Thanks for your answers


1 answer(s)
Konstantin Zaitsev, 2021-06-18
@KonstantineZ

You need to disable fasttrack and reverse the order of the rules. First ban those on ssh_blacklist, then process stage3, stage2, stage1, and finally the new ones. At the very top, add an accept rule for established and related traffic; this rule will let traffic through for a user who has successfully logged in to SSH.
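The rule set below is an added example of the ordering the answer describes; it is not the answerer's own configuration. Port 3389 and the ssh_stage1/2/3 and ssh_blacklist list names are taken from the question; the fasttrack handling, the established/related accept rule and the decision to drop blacklisted sources on every port of the input chain (which is what the question asks for) are assumptions about the rest of the router's configuration.

```routeros
# Added example (not from the question or the answer): staged brute-force
# protection rearranged in the order the answer gives. Only the port number
# and list names come from the question.

/ip firewall filter

# Fasttracked connections skip the filter rules that follow, so the answer
# recommends turning the fasttrack rule off (it normally lives in the
# forward chain of the default configuration).
disable [find action=fasttrack-connection]

# 1. At the very top: let already-accepted sessions continue, which is what
#    keeps a user who has successfully logged in connected.
add chain=input connection-state=established,related action=accept comment="allow established/related"

# 2. Drop everything from blacklisted sources. No dst-port here, so a
#    blacklisted IP is refused on every port of the router, as the question asks.
add chain=input src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers"

# 3. Escalate in reverse order so one packet cannot climb several stages at
#    once: stage3 -> blacklist, stage2 -> stage3, stage1 -> stage2.
add chain=input protocol=tcp dst-port=3389 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="stage3 -> blacklist"
add chain=input protocol=tcp dst-port=3389 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="stage2 -> stage3"
add chain=input protocol=tcp dst-port=3389 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="stage1 -> stage2"

# 4. Last: a new attempt from a source not yet in any list lands in stage1.
add chain=input protocol=tcp dst-port=3389 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="new -> stage1"
```

After importing, confirm the order with `/ip firewall filter print` (the established/related accept must be first and the ssh_blacklist drop second; use `move` if existing rules ended up above them) and watch the lists fill with `/ip firewall address-list print where list=ssh_blacklist`. The drop rule only covers the input chain, i.e. connections to the router itself; traffic forwarded through the router to hosts behind it would need an equivalent rule in the forward chain.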
